Want to know how to save money in a data breach?  You have to have a plan before the data breach happens to keep you from making costly mistakes.  Everyone knows a data breach can be expensive, but there are studies that show us what makes them more expensive and what helps you save money.  The annual Ponemon Cost of a Data Breach Study has been published.  IBM sponsors the study each year, and it is one of the best tools we have for preparing for the cost of a data breach.  If you have any valuable data at all, you should review the report to get an estimate of what the cost of a data breach would be for your organization.  Let’s dig into some numbers and add a bit of perspective, shall we?



In this episode:

How to save money in a data breach

Today’s Episode is brought to you by:

Kardon and HIPAA for MSPs / Security First IT

Next HIPAA Boot Camp

(get on the waitlist now)

Want to be part of Help Me With HIPAA? Donate to the cause at

HMWH App now has more features.  You can now access a PDF with the show notes ready for your HIPAA training documentation!  Find it under the bonus feature in the app for both the Apple and Android versions.  It is a little gift box on the app bar.



How to save money in a data breach

There are some great little tidbits in the latest report.  They have done some new calculations and clarified some of the ones they have done for years.  Let’s get down to the numbers most people will quote.  Average costs per record in a data breach haven’t changed dramatically, but they did inch up a bit.

Global Results Summary


Source:   2018 Cost of a Data Breach Study: Global Overview – Ponemon Institute

It is important to note that these are global numbers.  The US is more expensive than many of the countries included in the research.  If you are a business in the US, you could consider these something between an average and a minimum.  Either way, the math here can be very shocking and create a lot of stress for most businesses.

The average cost per record of a data breach now sits at $148, which is a 4.8% increase from last year’s report.  Since the primary cause of data breaches is malicious insiders or external hackers, and those attacks expose a lot of records each time, the total average cost comes to $3.86 million.  Keep in mind that figure contains both hard and soft costs.  We will go into the difference in a bit.

Another stat to note is the likelihood of having another data breach after you have had one.  If you suffer from one data breach you are now 28% more likely to have another one in the next two years.  OUCH!

How can you make these numbers relate to you?  If you only consider half of that global average as your costs you still have $1.93 million to worry about!  There is no way a $50,000 cybersecurity policy will put a dent in that kind of number.

Let’s break it down to the per-record costs, though.  Take the number of valuable records that you have access to in your business operations to get a number that better fits you.  Along with the global average, they also provided the average cost per record by country, where the United States sits at the top spot of $233, and by industry, where healthcare takes the cheese at the top spot of $408 per record.  Heigh ho, the derry-o, the cheese stands alone.

Based on those averages, here is what the costs look like for a range of record counts, just for our reference.

Records       Global Avg     US Avg         Healthcare Avg
Per record    $148           $233           $408
1,000         $148,000       $233,000       $408,000
5,000         $740,000       $1,165,000     $2,040,000
15,000        $2,220,000     $3,495,000     $6,120,000
25,000        $3,700,000     $5,825,000     $10,200,000
50,000        $7,400,000     $11,650,000    $20,400,000
80,000        $11,840,000    $18,640,000    $32,640,000

No matter how I look at those numbers I will be waiting tables in Mérida, MX.  Yes, I have now selected a place AND the name (Consuela as many of you know).  What is most important here is not to just throw around numbers to create the scare factor.  Let’s get some actual things we can DO to change the numbers, hopefully in our favor.  Thankfully, the report gives us those numbers also.

Source:   2018 Cost of a Data Breach Study: Global Overview – IBM and Ponemon Institute

What are some of the elements in those costs?

There are several things that make up those costs.  These are a few of the ones I found most interesting.


Source:   2018 Cost of a Data Breach Study: Global Overview – Ponemon Institute

Most people don’t realize the costs of making the notifications.  You can send an email only IF you have the person sign a confirmation that they are ok with receiving breach notifications via email.  You can’t just rely on the standard “contact me via email” language that many sites use.  The language must specifically say that contacting them via email is ok for breach notifications.  That means if you need to send even just 1,000 notifications, you need to do so via first class mail.  The $740,000 number listed here is the average for the US.  Healthcare would likely be much higher.

I’ve heard all kinds of per person numbers but the most common is something around $3.50 just for mailing the letters.  According to Ponemon’s description, the costs include “creation of contact databases, determination of all regulatory requirements, engagement of outside experts, postal expenditures, email bounce-backs, and inbound communication set up” which covers a good bit of activity.


Source:   2018 Cost of a Data Breach Study: Global Overview – Ponemon Institute

Abnormal churn rates are the ones that are so very hard to calculate and plan to address.  This has to do with the loss of income from losing customers, whether they be consumers, businesses, or patients.

As the report states:

Companies in certain industries are more vulnerable to churn when customers can easily take their business to another competitor. Customers also have high expectations for the protection of their data in highly regulated industries, such as healthcare and financial services. When these organizations have a data breach, customers’ trust will decline and they will try to find a substitute. In contrast, the public sector, which has the lowest churn, has no competitor and customers have no other options.

Reputational damage is very hard to overcome.  It takes years in many cases.

How to increase or decrease costs in a data breach?

IBM funded this to ask the question of how much having an incident response team impacts the overall costs of a data breach.  Ponemon is very meticulous about their surveys and doesn’t seem to be the type to be swayed by the funding source into providing the numbers it wants to see.  That being said, the numbers are good for those who sell these services, such as IBM.


Source:   2018 Cost of a Data Breach Study: Global Overview – Ponemon Institute

Based on this chart the top 4 factors you can use to save money on the per-record cost are:

Improve/Implement                               Savings per record
Incident response team                          $14.00
Extensive use of encryption                     $13.10
Business continuity management plan in place    $9.30
Employee training                               $9.30
Total                                           $45.70

Those efforts change the average cost per record significantly in all cases.

              Global Avg    US Avg    Healthcare Avg
Per record    $102          $187      $362

Making an investment in the top cost savings areas identified in the study would save a little less than $46 per lost or stolen record.  Imagine having 10,000 patients on file.  Investing $45,000 per year in improving your program doesn’t seem so bad compared to the stress and problems that would come from not making the investment and having just one major data breach.

The report shows us how you can easily make things worse for yourself.  The top 4 factors that can make your cost per record even higher are:

Failure/Complication            Increase per record
Third party involvement         $13.40
Extensive cloud migration       $11.90
Compliance failures             $11.90
Extensive use of mobile         $10.00
Total                           $47.20

Conversely, the effect on the average per capita cost is just as significant at the other end of the spectrum.  A note about the cloud migration was helpful.  The costs increase if the breach occurs while you are in the midst of an extensive cloud migration.  The statement explained:

Organizations undergoing a major cloud migration at the time of the breach saw this increase to per capita cost by $12, with an adjusted average cost of $160 per record. An extensive cloud migration is one that consumes a significant amount of corporate IT resources. It is also senior management’s priority because of the expectation the cloud will reduce costs.

The averages get a lot harder to swallow for healthcare, jumping to $455 per record.  That is almost a $100 per record swing between the best improvement and the worst case scenarios we are comparing here.

              Global Avg    US Avg    Healthcare Avg
Per record    $195          $280      $455
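The arithmetic behind the three tables above (base per-record average, minus the savings factors, plus the cost-increase factors, times the record count), as an added example that is not from the report or the podcast.  The segment and factor names are my own labels, and it also covers a mixed case the show notes do not tabulate: an organization that has some of the savings factors in place while one of the complications applies.

```python
# Breach cost estimator built from the 2018 Ponemon / IBM per-record averages
# quoted in the show notes. Added example; segment and factor names are labels
# chosen here, not identifiers from the report.

BASE_PER_RECORD = {"global": 148.0, "us": 233.0, "healthcare": 408.0}

# Per-record savings from the report's top four cost-reducing factors.
SAVINGS = {
    "incident_response_team": 14.00,
    "extensive_encryption": 13.10,
    "bcm_plan": 9.30,
    "employee_training": 9.30,
}

# Per-record increases from the report's top four cost-raising factors.
INCREASES = {
    "third_party_involvement": 13.40,
    "extensive_cloud_migration": 11.90,
    "compliance_failures": 11.90,
    "extensive_mobile_use": 10.00,
}

SEGMENTS = ("global", "us", "healthcare")


def adjusted_per_record(segment, improvements=(), complications=()):
    """Per-record cost after subtracting chosen savings factors and adding
    chosen complications, rounded to whole dollars as the show notes do."""
    rate = BASE_PER_RECORD[segment]
    rate -= sum(SAVINGS[name] for name in improvements)
    rate += sum(INCREASES[name] for name in complications)
    return round(rate)


def breach_cost(records, segment, improvements=(), complications=()):
    """Estimated total cost: record count times the adjusted per-record rate."""
    return records * adjusted_per_record(segment, improvements, complications)


def cost_table(record_counts, improvements=(), complications=()):
    """Rows of (records, global, us, healthcare) totals, like the table above."""
    return [
        (n,) + tuple(breach_cost(n, s, improvements, complications) for s in SEGMENTS)
        for n in record_counts
    ]


if __name__ == "__main__":
    for row in cost_table([1000, 5000, 15000, 25000, 50000, 80000]):
        print("{:>7,}  ${:>12,}  ${:>12,}  ${:>12,}".format(*row))
```

With all four savings factors the function reproduces the $102 / $187 / $362 row, and with all four complications the $195 / $280 / $455 row.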

If you want to make things better for everyone make sure you address both the top 4 cost savings as well as the top 4 cost increases.  The difference in your overall data breach costs could be significant.

No matter how you slice it, a data breach of any size can be very expensive.  The more you do to prepare, the less it will cost you.  If you aren’t prepared for it, then be prepared to pay even more when it does happen.  You know what they say: it isn’t a matter of if you will have one, it is when.  The hackers are confident when they point out that they only need to be right once; you must be right every time to keep them out.

Please remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word.  As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™